Microsoft says it derailed a Russian hacking effort targeting groups in Ukraine, including media organizations.
The company secured a court order on Wednesday to take over seven internet domains the Russian hackers were using to conduct the attacks, according to Microsoft corporate vice president Tom Burt.
Microsoft is blaming the attacks on a Russian state-sponsored hacking group dubbed Strontium, also known as Fancy Bear or APT 28, which famously breached the Democratic National Committee during the 2016 election. US intelligence claims the hacking unit works for Russia's military intelligence, the GRU.
“We have since re-directed these domains to a sinkhole controlled by Microsoft, enabling us to mitigate Strontium’s current use of these domains and enable victim notifications,” Burt wrote in a blog post.
On Twitter, Burt also shared an example of one of the attacks, which involved a phishing message containing a PDF document named “corruption_2022.” Burt didn’t elaborate on the attacks, but the document is likely designed to load malware on the victim’s computer.
“We believe Strontium was attempting to establish long-term access to the systems of its targets, provide tactical support for the physical invasion and exfiltrate sensitive information,” Burt added. “We have notified Ukraine’s government about the activity we detected and the action we’ve taken.”
Despite the domain takeovers, Microsoft said the phishing attacks from Strontium are only “a small part” of the hacking activities the company has seen in Ukraine. Cyberwarfare targeting the country “has escalated since the invasion began and has continued relentlessly,” Burt noted.
“Since then, we have observed nearly all of Russia’s nation-state actors engaged